News

USCG Issues Cybersecurity Assessment Initial Scoping and Process Policy Letter

USCG Issues Cybersecurity Assessment Initial Scoping and Process Policy Letter

On June 2, 2026, the U.S. Coast Guard’s (USCG’s) Office of Cybersecurity Policy (CG-MCP) issued Policy Letter 01-26: Cybersecurity Assessment Initial Scoping and Process. The Policy Letter provides guidance that regulated entities may use to identify Information Technology (IT) and Operational Technology (OT) that is “in scope” for the purposes of applicability under the MTSA Cybersecurity Regulation (33 CFR Part 101 – Subpart F). This process is centered on the use of a Cybersecurity Assessment (CSA).

Note: The methodology / process outlined in the Policy Letter is not mandatory. Companies are free to utilize alternate approaches (e.g., “systems of systems” approach) to identify the IT/OT “in scope.”

CSA Scoping Approach

The Policy Letter describes the CSA as a risk-filtering process: Entities should first inventory systems, dependencies, and interfaces, then assess threats, vulnerabilities, likelihood, impact, and risk. It identifies three categories of assets:

  1. Internal Networks: Systems owned, operated, or technically controlled by the entity, such as Closed-Circuit Television servers, physical access control systems, cargo control systems, administrative workstations, and onboard or facility systems.
  1. External Networks / Dependencies: Third-party systems or services that support operations but are not directly controlled by the entity, such as cloud software, internet service providers, utilities, satellite communications, landlord networks, supply chain platforms, vendor connections, and bring-your-own-device environments.
  1. Interfaces: Physical, digital, wireless, cloud-based, or human-driven connection points where systems exchange information. These include VPNs, remote access tools, USB connections, Wi-Fi, Bluetooth, shared accounts, vendor access, and cloud service connections.

The Policy Letter states that even though the USCG does not directly regulate contractor or third-party networks, owners and operators remain responsible for managing cybersecurity risks created by their reliance on those external services – and the CSA should analyze those dependencies.

Recommended CSA Process

The Policy Letter provides an optional guide for conducting a CSA that includes the following steps:

  1. Prepare: Establish the assessment scope, risk tolerance, assumptions, constraints, necessary operational/business functions, and asset inventory.
  1. Conduct: Identify threats and vulnerabilities, determine likelihood and impact, evaluate risk, and identify priority assets that support necessary functions.
  1. Classify Critical IT/OT: Determine whether loss or degradation of a priority asset’s confidentiality, integrity, or availability could result in a Transportation Security Incident. Assets with a “Yes” or “Maybe” answer should receive heightened scrutiny and may need to be designated as “Critical IT/OT.” Sections of 33 CFR § 101.650 require additional cybersecurity measures for “Critical IT/OT.”
  1. Communicate and Document: Document vulnerabilities, recommendations, resolutions, and risk decisions in a CSA Report maintained with the Cybersecurity Plan.

Share:

More Posts

USCG Issues Waiver & Equivalency Guidance

On June 3, 2026, the U.S. Coast Guard’s (USCG’s) Office of Cybersecurity Policy (CG-MCP) issued Cybersecurity Waiver & Equivalency Guidance (MCP-WI-002) to provide a unified

USCG Publishes MTSA Cybersecurity FAQs

The USCG’s Cybersecurity in the Marine Transportation System (MTS) Final Rule became effective on July 16, 2025. In response to industry questions – and to